One Hacker Could Have Taken Control of Macs Used by IT Professionals

A hacker managed to compromise Homebrew, a package manager widely used by developers.

Underneath all the shiny gloss of High Sierra and Mojave, macOS is Unix. One of the reasons sysadmins, developers, and even security experts use macOS is that they get access to Unix tools and utilities along with the polish of Apple. However, unlike its cousin Linux, macOS doesn't come with a massive library of Unix tools. You can fire up the terminal and use things like rsync, dd, or cron, but if you want support for more languages and packages, you need to install a third-party package manager. Homebrew is one of the most popular package managers for macOS. It's fully open source and puts a huge range of packages at the disposal of macOS users. However, a minor flaw in Homebrew could have given a bad actor complete control of all those shiny MacBooks.

A hacker named Eric Holmes discovered that Homebrew had published its GitHub API token in plaintext.

"This is essentially an access key that, when inserted into web requests made to Homebrew's GitHub account, tells the server what access rights to grant to those requests," said Paul Ducklin, Senior Security Advisor at Sophos.

Once he had the token, Holmes used it to gain read and write access to Homebrew's GitHub content. He could have tampered with almost every single package on Homebrew, infecting all users running Homebrew on their systems. What's more worrisome is that the most downloaded Homebrew package in the last 30 days was 'openssl', a package for securely connecting to computers on a network. Holmes informed the Homebrew crew and they fixed it within a matter of hours.
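The root cause here was a token that ended up in plaintext where anyone could read it. As an added example (not code from the article, Sophos, or the Homebrew project), here is a small Python scanner that finds GitHub tokens published in plaintext, such as in CI build logs or config files, and redacts them before the output is shared. The token formats it recognises are GitHub's documented prefixed formats plus the classic 40-hex token of the 2018 era (flagged only in a credential context to avoid matching commit hashes); the sample log lines are constructed for this example.

```python
import re
from typing import List, Tuple

# GitHub's prefixed token formats (ghp_/gho_/ghu_/ghs_/ghr_ + 36 chars,
# and fine-grained github_pat_ tokens). The classic 40-hex form of older
# personal access tokens looks like a commit hash, so it is only flagged
# when it sits in a credential context (Authorization header or token=).
PREFIXED_TOKEN = re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b")
FINE_GRAINED_TOKEN = re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b")
CLASSIC_IN_CONTEXT = re.compile(
    r"(?i)(?:authorization:\s*(?:token|bearer)\s+|[?&]access_token=|token=)([0-9a-f]{40})\b"
)

# Constructed CI log for the example: line 2 leaks a classic token in an
# Authorization header, line 3 leaks a prefixed token, line 4 is a harmless
# commit hash that must NOT be reported.
SAMPLE_LOG = """\
[12:00:01] Starting build #42
[12:00:02] curl -H 'Authorization: token 0123456789abcdef0123456789abcdef01234567' https://api.github.com/repos/example/repo
[12:00:03] export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
[12:00:04] commit deadbeefdeadbeefdeadbeefdeadbeefdeadbeef checked out
"""


def find_github_tokens(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, token) for every token-like secret found in text."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PREFIXED_TOKEN.finditer(line):
            hits.append((lineno, m.group(0)))
        for m in FINE_GRAINED_TOKEN.finditer(line):
            hits.append((lineno, m.group(0)))
        for m in CLASSIC_IN_CONTEXT.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits


def redact(text: str) -> str:
    """Mask every detected token, keeping only its first four characters."""
    for _, token in find_github_tokens(text):
        text = text.replace(token, token[:4] + "*" * (len(token) - 4))
    return text


if __name__ == "__main__":
    for lineno, token in find_github_tokens(SAMPLE_LOG):
        print(f"line {lineno}: leaked token starting with {token[:4]}")
    print(redact(SAMPLE_LOG))
```

Running the scanner over CI logs before they are published (and rotating any token it reports) is the kind of extra precaution the closing paragraph refers to.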

The moral is that just because something is open source does not mean that it's safe. Open source projects still need to follow some best practices and take extra precautions.

Source: https://nakedsecurity.sophos.com/2018/08/10/how-one-man-could-have-hacked-every-mac-developer-73-of-them-anyway/

08/14/2018
